Re: [Mip6] bootstrap problem definition
Francis Dupont <Francis.Dupont@enst-bretagne.fr> Tue, 17 February 2004 15:05 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01637 for <mip6-archive@odin.ietf.org>; Tue, 17 Feb 2004 10:05:32 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1At6mW-0001iD-M7 for mip6-archive@odin.ietf.org; Tue, 17 Feb 2004 10:05:05 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i1HF53lc006476 for mip6-archive@odin.ietf.org; Tue, 17 Feb 2004 10:05:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1At6mU-0001f0-Uu for mip6-web-archive@optimus.ietf.org; Tue, 17 Feb 2004 10:05:03 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01498 for <mip6-web-archive@ietf.org>; Tue, 17 Feb 2004 10:04:59 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1At6mS-0005ws-00 for mip6-web-archive@ietf.org; Tue, 17 Feb 2004 10:05:00 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1At6l4-0005j7-00 for mip6-web-archive@ietf.org; Tue, 17 Feb 2004 10:03:35 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1At6jZ-0005U5-00 for mip6-web-archive@ietf.org; Tue, 17 Feb 2004 10:02:01 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1At6jY-00086o-Ls; Tue, 17 Feb 2004 10:02:00 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1At6is-0007ar-Du for mip6@optimus.ietf.org; Tue, 17 Feb 2004 10:01:18 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01148 for <mip6@ietf.org>; Tue, 17 Feb 2004 10:01:15 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1At6iq-0005R1-00 for mip6@ietf.org; Tue, 17 Feb 2004 10:01:16 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1At6hy-0005MM-00 for mip6@ietf.org; Tue, 17 Feb 2004 10:00:23 -0500
Received: from laposte.rennes.enst-bretagne.fr ([192.44.77.17]) by ietf-mx with esmtp (Exim 4.12) id 1At6hF-0005FG-00 for mip6@ietf.org; Tue, 17 Feb 2004 09:59:38 -0500
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194]) by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id i1HEwtL04765; Tue, 17 Feb 2004 15:58:55 +0100
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1]) by givry.rennes.enst-bretagne.fr (8.12.3/8.12.3) with ESMTP id i1HEwtSj000899; Tue, 17 Feb 2004 15:58:55 +0100 (CET) (envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200402171458.i1HEwtSj000899@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Jari Arkko <jari.arkko@kolumbus.fi>
cc: mip6@ietf.org, James Kempf <kempf@docomolabs-usa.com>
Subject: Re: [Mip6] bootstrap problem definition
In-reply-to: Your message of Mon, 16 Feb 2004 12:20:33 +0200. <40309971.90903@kolumbus.fi>
Date: Tue, 17 Feb 2004 15:58:55 +0100
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
Sender: mip6-admin@ietf.org
Errors-To: mip6-admin@ietf.org
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Id: <mip6.ietf.org>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60
I have many comments about your bootstrap I-D: - first the problems in the abstract and in the introduction are not the same: in the abstract the home environment is dynamic and the mobile node does not know it enough. In the introduction the only problem of the mobile node is that it has lost the context, in particular the IPsec one (no security association of any type). Of course the problem you described, what I call "dynamic bootstrap", is even harder. - (1. intro) with IKEv1 the MN does not need to have a statically defined home address and the reason you gave is wrong: the home address is unknown during the phase 1. I agree that a static home address is easier because it makes authorization rules static, but this is not a requirement, just the case you have a chance to get implemented (:-). - dynamic home agent address discovery is a security nightmare: I agree we should not rely on it. - (2. MIPv6 conf) all MN-HA mobility signaling (not communications) are required to be protected by IPsec. - (3.1.1. Dyn H@ Assignment) dynamically assigned is not the opposite of statically configurated. And there are known extensions (widely implemented but not standardized) of IKEv1 to support dynamically assigned "internal" addresses. - Home prefix change is not a valid issue because the home agent can infer the new home address from the old one. - Same for duplicate address collision because the authorization stuff can, when it occurs, accept any address which is not in use or authorized for another client. - I don't understand the "addressing privacy" issue: the home address can be a RFC 3041 one. This even makes dynamic authorization easy (first come first served)... - (3.1.2 Dyn HA@ assignment) this is only about manual keying, isn't it? (note that IMHO the manual keying is very incompatible with dynamic bootstrap, I'd like to focus on the IKE case) - (3.2.1 AAA) Even I agree that IKE should be clearly integrated with an AAA system your statement that it can work only with certificates is not true. - Interconnected PKIs are poor replacements for a real AAA infrastructure but they (can) work. - IMHO the main advantage of an AAA infrastructure is some security properties for the care-of address, perhaps this is the only way to get more than a return routability check (included in IKE which uses many messages in both ways :-). - NAI == USER-FQDN, the real issue is AAA and NAI are user oriented when IKEv1 is system oriented. - (3.2.2 Opp/Local discovery) The idea of using the DNS to get infos about the home was in a very old message of someone from Digital in this list (I can grep into my archive to find the reference). - (3.3.1 Dormant mode MN) IPv6 prefix change is a matter of weeks or months. IMHO the real issue is not with nodes in low power dormant mode, but with MNs which are used every X months (every IETF meetings for instance :-). - (4. scenarios) The first scenario (no pre-existing relationship) has a little chance to work with IKEv1 which requires strong mutual authentication and authorization. - the second one is interesting and should be shown to VPN server sellers. IMHO this can be a good extension to standard VPNs, and there is no home address assignment issue as VPN stuff in general includes an "internal" address management. - if I understand the third scenario, the idea is to use the local AAA system for access control to do some kind of "local mobility"? - I don't understand the fourth/last scenario: there is no way to "turn" security associations. And IMHO IPsec people will be very against any attempt to define this kind of things. - you should add a reference to AAA/MIPv6 requirement document (draft-le-aaa-mipv6-requirements-03.txt) which was resubmitted by Frank Le (our editor) as AAA gives all you'd like: care-of assignment, home agent assignment, home address assignment, security properties for all of them, including for the care-of, fast or very fast creation of the first IPsec SAs, etc. So the (to come) solution document about dynamic bootstrap should be only when an AAA infrastructure is not available/used (:-). Regards Francis.Dupont@enst-bretagne.fr _______________________________________________ Mip6 mailing list Mip6@ietf.org https://www.ietf.org/mailman/listinfo/mip6
- [Mip6] bootstrap problem definition Jari Arkko
- RE: [Mip6] bootstrap problem definition Giaretta Gerardo
- Re: [Mip6] bootstrap problem definition Jari Arkko
- Re: [Mip6] bootstrap problem definition Francis Dupont
- Re: [Mip6] bootstrap problem definition Jari Arkko
- Re: [Mip6] bootstrap problem definition Francis Dupont